WordPress Login Security: 2FA, Custom URLs, and Best Practices

November 5, 2025 · 9 min read

Your WordPress login page is under constant attack. Wordfence blocks 65 million brute force attempts every day across their network. The question is not whether attackers will try to break into your site. It is whether your login is protected when they do.

The Login Page Problem

Every WordPress site has the same login URLs by default: /wp-admin/ and /wp-login.php are universal. Attackers do not need to find your login page. They already know where it is.

With over 810 million WordPress sites on the web, automated bots scan for these default URLs constantly. Once they find your login page, they hammer it with password guesses until something works or they get blocked.

According to Sucuri, 81% of attacks on WordPress sites are based on insecure or stolen passwords. The login page is where those attacks happen. Protecting it is not optional.

Two Factor Authentication

Two factor authentication adds a second verification step beyond your password. Even if an attacker guesses or steals your password, they cannot log in without also having access to your second factor.

Many security experts consider 2FA the single most effective login protection you can add. It means a stolen or guessed password is no longer enough on its own, and it blunts brute force outright. Against phishing it raises the bar rather than ending the threat: a real-time phishing proxy can relay a TOTP code within its 30 second lifetime, so if phishing is your main worry, a hardware security key (WebAuthn) is the phishing resistant option.

After entering your password, you are prompted for a code from your authenticator app. This code changes every 30 seconds and is derived from a secret shared between the site and your authenticator at enrollment. Without physical access to your phone or security key, an attacker cannot generate the correct code.

The most common method is TOTP (Time based One Time Password), which works with apps like Google Authenticator, 1Password, Authy, and Microsoft Authenticator. You scan a QR code during setup, and the app generates codes for you going forward.

Use an authenticator app, not SMS. SIM swapping attacks make SMS based 2FA less secure; authenticator apps are not exposed to them. Require 2FA for all administrator accounts, and at minimum for every user who can publish content or change settings. Generate backup codes when you enroll, store them somewhere other than the phone, and treat each one as single use. If you lose access to your authenticator device, the backup codes are how you get back in.
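The check a TOTP plugin performs after the password step, written out as an added example (this is not ArmorPro or WordPress core code): RFC 6238 code derivation from the shared secret, a one step drift window, replay protection, and single use backup codes stored as hashes. The ex_ function names are assumptions; where a real plugin would read the secret and the last accepted counter from user meta, this script takes them as arguments and checks itself against the published RFC 6238 SHA-1 test vector.

```php
<?php
// Added illustration, not ArmorPro or WordPress core code. Names prefixed ex_ are assumptions.

function ex_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {              // drop the trailing partial group
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function ex_hotp(string $secret, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true); // 8-byte big-endian counter
    $offset = ord($hash[19]) & 0x0f;                                  // dynamic truncation (RFC 4226)
    $bin    = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Returns the time-step counter that matched, or false. $lastUsed is the counter
 * of the last accepted code (store it per user) so a code captured and replayed
 * inside the same 30-second window is rejected.
 */
function ex_totp_verify(string $b32secret, string $submitted, int $now,
                        int $lastUsed = -1, int $step = 30, int $window = 1) {
    $secret    = ex_base32_decode($b32secret);
    $submitted = preg_replace('/\s+/', '', $submitted);
    $current   = intdiv($now, $step);
    for ($i = -$window; $i <= $window; $i++) {  // tolerate one step of clock drift either way
        $counter = $current + $i;
        if ($counter > $lastUsed && hash_equals(ex_hotp($secret, $counter), $submitted)) {
            return $counter;
        }
    }
    return false;
}

function ex_backup_codes_generate(int $n = 8): array {
    $plain = $hashed = [];
    for ($i = 0; $i < $n; $i++) {
        $code     = bin2hex(random_bytes(5));                // 40 bits of entropy, shown once
        $plain[]  = $code;
        $hashed[] = password_hash($code, PASSWORD_DEFAULT); // store only the hashes
    }
    return [$plain, $hashed];
}

function ex_backup_code_consume(string $submitted, array &$hashes): bool {
    foreach ($hashes as $i => $hash) {
        if (password_verify(strtolower(trim($submitted)), $hash)) {
            unset($hashes[$i]);                               // single use
            return true;
        }
    }
    return false;
}

function ex_expect(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("self-check failed: $what");
    }
}

// Self-check with the RFC 6238 SHA-1 test vector: secret "12345678901234567890" in base32.
$rfc = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
ex_expect(ex_totp_verify($rfc, '287082', 59) === 1, 'T=59 gives counter 1');
ex_expect(ex_totp_verify($rfc, '287082', 59, 1) === false, 'replay of counter 1 rejected');
ex_expect(ex_totp_verify($rfc, '081804', 1111111109) === 37037036, 'T=1111111109');
[$plain, $hashes] = ex_backup_codes_generate(2);
ex_expect(ex_backup_code_consume($plain[0], $hashes) === true, 'backup code accepted');
ex_expect(ex_backup_code_consume($plain[0], $hashes) === false, 'backup code not reusable');
echo "ok\n";
```

Two design points worth noting. The comparison uses hash_equals so a wrong code costs the same time as a right one, and the accepted counter is remembered so a code an attacker captured (for example through a phishing proxy) cannot be replayed once the real user has used it. The drift window of one step means a code stays valid for up to 90 seconds in total; widen it only if users complain about clock skew.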

Built In Two Factor Authentication

ArmorPro Pro includes TOTP based two factor authentication that works with any authenticator app. Set up 2FA from your profile with a QR code scan, get backup codes for recovery, and enforce 2FA for specific user roles.


Custom Login URLs

Changing your login URL from the default wp-login.php to something unique is a simple way to reduce automated attacks. Bots programmed to scan for default WordPress URLs will not find your login page if it is at my-secret-login instead.

A custom login URL helps against automated brute force bots that only try default paths and against spam scripts looking for login forms. It also removes the username enumeration vector of the login form's own error messages, though usernames still leak through author archive URLs and the REST API users endpoint, and it does nothing to protect a weak password.

When someone visits /wp-admin/ or /wp-login.php on a site with a custom login URL, they get a 404 error. The automated attack stops before it starts because the bot finds nothing to attack.

Custom login URLs are security through obscurity. A determined attacker who specifically targets your site will eventually find your login page, and the slug can leak through plugin generated links, redirects, or a shared screenshot. This is why custom URLs should be combined with other protections, not used alone. Think of it as one layer in a defense in depth strategy. It filters out automated noise so your other protections can focus on real threats.

What Most People Get Wrong

In my experience, the biggest mistake is relying on just one protection. I have seen sites with two factor authentication but no rate limiting. Sites with custom login URLs but weak passwords. Sites with rate limiting but an open XML-RPC backdoor. No single protection is enough.

The second mistake is forgetting about XML-RPC. Most WordPress users do not know about it. It is an old remote publishing protocol that lives at xmlrpc.php. The problem is its system.multicall method, which packs many method calls, each with its own username and password, into a single HTTP request. Historically an attacker could try hundreds of passwords per request, bypassing rate limiters that counted HTTP requests rather than credential checks. WordPress core has, since version 4.4, stopped checking the remaining credentials in a multicall once the first one fails, which blunts the amplification on an up to date site, but xmlrpc.php still accepts an unlimited number of requests and many limiters only watch wp-login.php. If your brute force protection does not count XML-RPC attempts, you have a hole in your defenses.

The third mistake is using the admin username. If you have a user called admin, attackers already know half the credentials. WordPress does not let you rename a user from the profile screen, so create a new administrator with a different name, log in as it, delete admin, and attribute its content to the new account when prompted. Bear in mind that usernames are rarely secret anyway, since author archive URLs and the REST API users endpoint expose them; the real defence is the password and 2FA behind the name.

The fourth mistake is thinking strong passwords are enough. They help, but if there is no rate limiting, an attacker can make millions of attempts. Eventually something might work.

Login Attempt Limiting

Brute force attacks work by trying thousands of password combinations. Without rate limiting, an attacker can try unlimited passwords until one works.

Login attempt limiting blocks an IP address after a certain number of failed attempts. If someone fails 5 logins in a row, they get locked out for 15 minutes. If they keep trying after lockouts expire, the lockout duration increases.

Good rate limiting means progressive lockouts, where repeat offenders face longer lockouts rather than the same duration every time. It means IP tracking, so failed attempts are counted per IP address across sessions, not per browser session. It means XML-RPC awareness, because that endpoint carries login attempts too, including several in a single request, and a limiter that only watches wp-login.php never sees them. And it means logging, so you can see who is trying to break in and from where.
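The following must-use plugin is an added example (not ArmorPro's code) that implements the four requirements above and also closes the multicall amplifier discussed in the previous section. It counts every failed credential check at the point where WordPress fires wp_login_failed, which both the login form and the XML-RPC server reach through wp_authenticate(), so xmlrpc.php attempts are counted the same way as form submissions. The thresholds, the ex_ names, and the assumption that the site is not behind a reverse proxy are choices made for this example.

```php
<?php
/**
 * Plugin Name: Example login limiter (added illustration; not ArmorPro code)
 *
 * Drop into wp-content/mu-plugins/. Counts every failed credential check
 * whether it came through wp-login.php or xmlrpc.php, locks the source IP
 * out for progressively longer periods, removes system.multicall, and logs
 * each lockout. Thresholds and the ex_ names are assumptions.
 */

define('EX_MAX_FAILS',    5);                      // failures before the first lockout
define('EX_BASE_LOCKOUT', 15 * MINUTE_IN_SECONDS); // first lockout; doubles on each repeat
define('EX_MAX_LOCKOUT',  DAY_IN_SECONDS);
define('EX_FAIL_WINDOW',  HOUR_IN_SECONDS);        // failure counts expire after this

function ex_client_ip(): string {
    // Assumes no reverse proxy. Behind one, take the IP from the proxy's header
    // only when REMOTE_ADDR is the proxy itself; otherwise clients can forge it
    // and dodge the lockout.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ex_keys(string $ip): array {
    $h = md5($ip); // keeps transient names short and safe for IPv6 addresses
    return ["ex_fail_$h", "ex_lock_$h", "ex_strikes_$h"];
}

// 1. Reject authentication from a locked-out IP. Priority 40 runs after core's
//    username/password handlers at priority 20, which would otherwise overwrite
//    an earlier WP_Error. The XML-RPC server authenticates through the same
//    wp_authenticate() path, so the lock applies there as well.
add_filter('authenticate', function ($user, $username, $password) {
    [, $lockKey] = ex_keys(ex_client_ip());
    $until = get_transient($lockKey);
    if ($until !== false && (int) $until > time()) {
        $minutes = (int) ceil(((int) $until - time()) / 60);
        return new WP_Error('ex_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', $minutes));
    }
    return $user;
}, 40, 3);

// 2. Count failures per IP and escalate. wp_login_failed fires from
//    wp_authenticate(), which both the login form and xmlrpc.php call.
add_action('wp_login_failed', function ($username, $error = null) {
    if ($error instanceof WP_Error && $error->get_error_code() === 'ex_locked_out') {
        return;                                     // already locked; do not double count
    }
    $ip = ex_client_ip();
    [$failKey, $lockKey, $strikeKey] = ex_keys($ip);

    $fails = (int) get_transient($failKey) + 1;     // get_transient() returns false when unset
    set_transient($failKey, $fails, EX_FAIL_WINDOW);
    if ($fails < EX_MAX_FAILS) {
        return;
    }

    // Progressive lockout: 15 min, 30 min, 1 h, 2 h, ... capped at one day.
    $strikes = (int) get_transient($strikeKey) + 1;
    $lockFor = (int) min(EX_BASE_LOCKOUT * (2 ** ($strikes - 1)), EX_MAX_LOCKOUT);
    set_transient($strikeKey, $strikes, EX_MAX_LOCKOUT);
    set_transient($lockKey, time() + $lockFor, $lockFor);
    delete_transient($failKey);

    error_log(sprintf('[login-limit] lockout ip=%s user=%s strike=%d seconds=%d',
        $ip, sanitize_user((string) $username), $strikes, $lockFor));
}, 10, 2);

// 3. Remove the multicall amplifier while keeping the rest of XML-RPC for clients
//    that need it. To refuse every authenticated XML-RPC method instead, use
//    add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['system.multicall']);
    return $methods;
});
```

Because the counter lives in transients, it survives across browser sessions and across both entry points, which is the "IP tracking" requirement. The strike count outlives the lockout itself, so an attacker who waits out a 15 minute lockout and resumes gets 30 minutes the next time, then an hour. On a site behind a CDN or load balancer, replace ex_client_ip() with a version that trusts the proxy's forwarded address only from the proxy's own IP, or every visitor will share one counter.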

Strong Passwords Still Matter

All of these protections assume attackers need to guess your password. If your password is admin123 or Summer2024, it will not take many guesses.

A truly random 20 character password is far beyond what online guessing through the login form can reach, and even an offline attack against a leaked password hash would take longer than the age of the universe. The question is whether you are using one.

Use a password manager. Let it generate and remember complex passwords for you. Never reuse passwords. If your password is leaked from another site, attackers will try it on your WordPress login. Check haveibeenpwned.com. See if your email or passwords have appeared in data breaches.

Putting It All Together

Defense in depth means layering multiple security measures so that if one fails, others still protect you.

Two factor authentication stops stolen or guessed passwords from being enough on their own and blunts phishing. Custom login URLs stop automated bot scans and casual attackers. Login attempt limiting stops brute force attacks and slows credential stuffing (stuffing spread across many IP addresses also needs per account limits). XML-RPC blocking closes an endpoint that brute force tooling uses to get around form-only limiters. Strong passwords stop dictionary attacks and password guessing.

Each layer reduces your attack surface. Together, they make your login page far more secure than any single protection could achieve alone.

The Reality

Your login page is the front door to your WordPress site. Attackers know where it is, and they are trying to get in right now.

Two factor authentication is your strongest defense. A custom login URL filters out automated noise. Rate limiting stops brute force attacks. XML-RPC blocking closes a commonly overlooked hole. Strong passwords make guessing infeasible.

That is why we built our plugin to handle all of these together. You should not have to piece together login security from five different solutions. It should just work.